Hi Piotr,

If you look at the statement below from the snippet, it refers to both sides. It should be the KS and GM, right?

"Then both sides compute a DH secret and use it to protect the new keying material contained in KD."

Snippet from RFC 3547, section 3.2.1, Perfect Forward Secrecy:

If PFS is desired and the optional KE payload is used in the exchange, then both sides compute a DH secret and use it to protect the new keying material contained in KD. The GCKS responder will xor the DH secret with the KD payload and send it to the member Initiator, which recovers the KD by repeating this operation as in the Oakley IEXTKEY procedure [RFC2412]. Implementation of the KE payload is OPTIONAL.

With regards
Kings

On Tue, Jan 25, 2011 at 11:17 PM, Piotr Matusiak <[email protected]> wrote:
> Kings,
>
> As far as I know the TEK and KEK are generated by the KS using random
> number generators.
> SKEYID_e is used for encryption of GDOI messages. Then for Rekey, the KEK
> is used.
>
> Regards,
> Piotr
>
>
> 2011/1/25 Kingsley Charles <[email protected]>
>
>> Hi all
>>
>> A question which is totally out of the CCIE's scope but if anyone has
>> inputs, please provide.
>>
>> As you all know, GDOI messages are protected by ISAKMP Phase 1.
>>
>> The ISAKMP Phase 1 generates the following:
>>
>> SKEYID_a which authenticates the ISAKMP Phase 1 messages
>> SKEYID_e which encrypts the ISAKMP Phase 1 messages
>> SKEYID_d which is used to derive the keying materials for IPSec
>>
>> GDOI uses two keys TEK and KEK.
>>
>> Is SKEYID_e used to derive the keying material for KEK and TEK?
>>
>> Please don't ask me to refer to RFC 3547, I went through it :-)
>>
>> With regards
>> Kings
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
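The PFS mechanism quoted above (GM and GCKS each compute the DH secret, the GCKS XORs it over KD, the GM repeats the XOR to recover KD), worked through as an added example that is not part of this thread or of any GDOI implementation. It assumes a constructed toy DH group in place of the negotiated MODP group and uses counter-mode SHA-256 as a stand-in for the Oakley IEXTKEY expansion; the GDOI message framing and the SKEYID_e encryption around it are omitted.

```python
import hashlib
import secrets

# Constructed toy DH group for illustration only; a real GDOI exchange uses
# the MODP group negotiated in the ISAKMP Phase 1 SA, not this small prime.
TOY_P = (1 << 61) - 1  # Mersenne prime, far too small for real use
TOY_G = 2


def dh_keypair(p=TOY_P, g=TOY_G):
    """Private exponent and the public value that goes into a KE payload."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_shared(priv, peer_pub, p=TOY_P):
    """The DH secret as fixed-width bytes; GM and GCKS get the same value."""
    return pow(peer_pub, priv, p).to_bytes((p.bit_length() + 7) // 8, "big")


def expand_secret(secret, length):
    """Stretch the DH secret to the KD length. Assumption: counter-mode
    SHA-256 stands in for the Oakley IEXTKEY expansion of RFC 2412."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(secret + counter.to_bytes(4, "big")).digest()
    return out[:length]


def protect_kd(dh_secret, kd):
    """GCKS side: XOR the (expanded) DH secret over the KD payload."""
    return bytes(a ^ b for a, b in zip(kd, expand_secret(dh_secret, len(kd))))


recover_kd = protect_kd  # member side: repeating the XOR undoes it


def pfs_exchange(kd):
    """Simulate GM <-> GCKS: trade KE values, protect KD, recover it."""
    gm_priv, gm_pub = dh_keypair()       # member (Initiator) sends its KE
    ks_priv, ks_pub = dh_keypair()       # GCKS (responder) answers with its KE
    wire_kd = protect_kd(dh_shared(ks_priv, gm_pub), kd)  # sent in the reply
    return recover_kd(dh_shared(gm_priv, ks_pub), wire_kd), wire_kd


if __name__ == "__main__":
    kd = secrets.token_bytes(32) + secrets.token_bytes(16)  # constructed TEK || KEK
    got, wire = pfs_exchange(kd)
    print("member recovered KD:", got == kd, "| KD hidden on the wire:", wire != kd)
```

The point of the XOR layer is that the random TEK/KEK in KD stay protected even if the Phase 1 SKEYID_e is later recovered, because the DH secret is never sent and is discarded after use.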
